Google anti-phishing gave out passwords

Written by Brett Thomas

January 23, 2007 | 14:51

Tags: #phishing

Companies: #google

"The best laid plans of mice and men..." Oh, Steinbeck, if you only had a clue how true this really is. Many of you can sympathise with this - you go to do something nice, something well-planned, and something horribly awful happens as a result. Such is the way with Google and its anti-phishing plugin - which just so happened to accidentally save users' passwords and emails, then display them publicly.

Fortunately, it's not as if Google deliberately scripted this back-door vulnerability. It actually has little to do with Google's own code and more to do with the way many phishing sites are built. Often, when you submit your details to a phishing site, it puts your username and password in plain text in the URL. Google's anti-phishing feature is backed by a publicly available blacklist, which then saved all of those URLs for anyone to see.

The issue was caught and brought to Google's attention by a web security company known as Finjan. Since then, our favourite search company has issued a patch for its anti-phishing plugin which strips any user data from blacklist URLs. Finjan actually recommends disabling any feature (common in toolbars and other 'assistant' programs) that sends URL data back home, just to be safe.
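The fix described above amounts to sanitising URLs before they are written to a shared list. The following is an added example, not Google's or Finjan's code, showing the kind of check a blacklist publisher would want: it detects URLs that carry credentials (either as a `user:pass@host` prefix or as query parameters) and strips them before the entry is published. The list of credential-like parameter names and the sample URLs are constructed for illustration and are assumptions, not taken from the article.

```python
"""Sanitise phishing-report URLs before they go into a public blacklist.

Added example, not the plugin's own code. The SENSITIVE_KEYS list and the
sample URLs below are constructed for illustration.
"""
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Query parameter names that typically carry what a victim typed into a
# phishing form (constructed list; extend to taste).
SENSITIVE_KEYS = {
    "user", "username", "login", "email", "acct",
    "pass", "passwd", "password", "pwd", "pin",
}


def carries_credentials(url: str) -> bool:
    """True if the URL embeds userinfo or a credential-looking query parameter."""
    parts = urlsplit(url)
    if parts.username or parts.password:
        return True
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    return any(k.lower() in SENSITIVE_KEYS for k, _ in pairs)


def strip_user_data(url: str, keep_query: bool = False) -> str:
    """Return a form of `url` that is safe to publish.

    - any `user:pass@` userinfo is always removed from the authority
    - the fragment is always removed (it can carry typed data too)
    - by default the whole query string is dropped; with keep_query=True only
      parameters named in SENSITIVE_KEYS are replaced by the literal REDACTED,
      which keeps the URL useful for matching the phishing page itself
    """
    parts = urlsplit(url)
    # Drop everything before the last "@" so only host[:port] remains.
    authority = parts.netloc.rsplit("@", 1)[-1]
    if keep_query:
        pairs = [
            (k, "REDACTED" if k.lower() in SENSITIVE_KEYS else v)
            for k, v in parse_qsl(parts.query, keep_blank_values=True)
        ]
        query = urlencode(pairs)
    else:
        query = ""
    return urlunsplit((parts.scheme, authority, parts.path, query, ""))


def build_blacklist(reported_urls, keep_query: bool = False):
    """Deduplicated, sorted list of sanitised entries ready for publication."""
    return sorted({strip_user_data(u, keep_query) for u in reported_urls})


# Constructed sample reports, as a victim's browser might have sent them.
SAMPLE_REPORTS = [
    "http://bank-login.example/signin.php?user=alice%40example.com&password=hunter2&lang=en#top",
    "http://bank-login.example/signin.php?user=bob&password=letmein&lang=en",
    "http://bob:secret@cheap-pharma.example/",
    "http://cheap-pharma.example/?lang=fr",
]

if __name__ == "__main__":
    for u in SAMPLE_REPORTS:
        flag = "CREDS" if carries_credentials(u) else "ok   "
        print(flag, strip_user_data(u, keep_query=True))
    print("published:", build_blacklist(SAMPLE_REPORTS))
```

`build_blacklist` defaults to dropping the query string entirely, which is the conservative choice: a redaction list can never be complete, because a phishing page is free to name its fields anything it likes. The `keep_query=True` mode is there for blacklists that match on the full URL and are willing to accept that residual risk.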

Though the quick response is admirable, it does illustrate a basic flaw in the premise - sometimes the cure can be worse than the disease. It raises an important question as to the benefits of total integration - when one company, however honest it may be, starts doing too much, are we any better off?

